Summary of a Workshop on Software Certification and Dependability
THE NATIONAL ACADEMIES PRESS
Washington, D.C.
www.nap.edu
THE NATIONAL ACADEMIES PRESS
500 Fifth Street, N.W. Washington, DC 20001
NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.
Support for this project was provided by the National Science Foundation, the National Security Agency, and the Office of Naval Research. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsor.
International Standard Book Number 0-309-09429-1 (Book)
International Standard Book Number 0-309-54619-2 (PDF)
Cover designed by Jennifer M. Bishop.
Additional copies of this report are available from: The
National Academies Press
500 Fifth Street, N.W., Lockbox 285 Washington, DC 20055 800/624-6242 202/334-3313 (in the Washington metropolitan area) http://www.nap.edu
Copyright 2004 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America
THE NATIONAL ACADEMIES
Advisers to the Nation on Science, Engineering, and Medicine
The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Bruce M. Alberts is president of the National Academy of Sciences.
The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Wm. A. Wulf is president of the National Academy of Engineering.
The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine.
The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Bruce M. Alberts and Dr. Wm. A. Wulf are chair and vice chair, respectively, of the National Research Council.
COMMITTEE ON CERTIFIABLY DEPENDABLE SOFTWARE SYSTEMS
DANIEL JACKSON,
Massachusetts Institute of Technology,
Chair
JOSHUA BLOCH,
Google, Inc.
MICHAEL DEWALT,
Certification Services, Inc.
REED GARDNER,
University of Utah
PETER LEE,
Carnegie Mellon University
STEVEN B. LIPNER,
Microsoft Corporation
CHARLES PERROW,
Yale University
JON PINCUS,
Microsoft Research
JOHN RUSHBY,
SRI International
LUI SHA,
University of Illinois at Urbana-Champaign
MARTYN THOMAS,
Engineering and Physical Sciences Research Council
SCOTT WALLSTEN,
AEI/Brookings Joint Center and American Enterprise Institute
DAVID WOODS,
Ohio State University
Staff
LYNETTE I. MILLETT, Study Director and Program Officer
PHIL HILLIARD, Research Associate (through May 2004)
PENELOPE SMITH, Senior Program Assistant (February 2004 through July 2004)
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD
DAVID LIDDLE,
U.S. Venture Partners,
Co-Chair
JEANNETTE M. WING,
Carnegie Mellon University,
Co-Chair
ERIC BENHAMOU
Global Ventures, LLC
DAVID D. CLARK,
Massachusetts Institute of Technology,
CSTB Member Emeritus
WILLIAM DALLY,
Stanford University
MARK E. DEAN,
IBM Systems Group
DEBORAH ESTRIN,
University of California, Los Angeles
JOAN FEIGENBAUM,
Yale University
HECTOR GARCIA-MOLINA,
Stanford University
KEVIN KAHN,
Intel Corporation
JAMES KAJIYA,
Microsoft Corporation
MICHAEL KATZ,
University of California, Berkeley
RANDY H. KATZ,
University of California, Berkeley
WENDY A. KELLOGG,
IBM T.J. Watson Research Center
SARA KIESLER,
Carnegie Mellon University
BUTLER W. LAMPSON,
Microsoft Corporation,
CSTB Member Emeritus
TERESA H. MENG,
Stanford University
TOM M. MITCHELL,
Carnegie Mellon University
DANIEL PIKE,
GCI Cable and Entertainment
ERIC SCHMIDT,
Google Inc.
FRED B. SCHNEIDER,
Cornell University
WILLIAM STEAD,
Vanderbilt University
ANDREW J. VITERBI,
Viterbi Group, LLC
CHARLES N. BROWNSTEIN, Director
KRISTEN BATCH, Research Associate
JENNIFER M. BISHOP, Program Associate
JANET BRISCOE, Manager, Program Operations
JON EISENBERG, Senior Program Officer
RENEE HAWKINS, Financial Associate
MARGARET MARSH HUYNH, Senior Program Assistant
HERBERT S. LIN, Senior Scientist
LYNETTE I. MILLETT, Program Officer
JANICE SABUDA, Senior Program Assistant
BRANDYE WILLIAMS, Staff Assistant
For more information on CSTB, see its Web site at <http://www.cstb.org>, write to CSTB, National Research Council, 500 Fifth Street, N.W., Washington, DC 20001, call (202) 334-2605, or e-mail the CSTB at cstb@nas.edu.
Preface
Systems on which the safety or security of individuals may depend are frequently subject to certification: a formal assurance that the system has met relevant technical standards, designed to give confidence that it has some specific properties—for example, that it will not unduly endanger the public. Today, certification of the dependability of a software-based system frequently relies at least as heavily on assessments of the process used to develop it as it does on the system's observable properties. While these assessments can be useful, few would dispute that direct evaluation of the artifact ought to provide a stronger kind of assurance than the credentials of its production methods could hope to provide. Yet the complexity of software systems, as well as their discrete nature, makes them extremely difficult to analyze unless great care has been taken with their structure and maintenance.
To further understand these and related issues, the High Confidence Software and Systems Program at the National Coordination Office for Information Technology Research and Development initiated discussions with the Computer Science and Telecommunications Board (CSTB) of the National Research Council (NRC). These discussions resulted in agreement to undertake a study to assess the current state of certification in dependable systems, with the goal of recommending areas for improvement. Initial funding for the project was obtained from the National Science Foundation, the National Security Agency, and the Office of Naval Research. The Committee on Certifiably Dependable Software Systems was appointed to conduct the study.
The task of the committee is to identify the kinds of system properties for which certification is desired, describe how that certification is obtained today, and, most important, determine what design and development methods, as well as methods for establishing evidence of trustworthiness, could lead to systems structures that are more easily certified.
To accomplish its mission, the committee divided this study into two phases: a framing phase and an assessment phase. This report is the outcome of the first phase, the framing phase, which included a public workshop organized by the committee and attended by members of industry, government, and academia. Held on April 19-20, 2004, the workshop featured a variety of participants invited to present their views on issues surrounding certification and dependability (see Appendix A for the workshop agenda). Six panels were organized, and each panelist gave a short presentation that addressed the theme of the panel. The workshop panelists are listed in Appendix B. Each panel session was followed by an extensive discussion involving all of the workshop participants and moderated by one or two committee members. The committee met three times: once to plan the workshop, then to hold the workshop, and, last, to distill information from the workshop and develop the report. This report is the committee’s summary of the panelists’ presentations and the discussions that followed.
Although the summary is based on presentations and discussion at the workshop, the participants’ comments do not necessarily reflect the views of the committee, nor does the summary present findings or recommendations of the National Research Council. In fact, the committee took care in writing this report simply to summarize the discussions, and to avoid any bias or appearance of bias in favor of one opinion or another. Because it did not seem sensible to attempt a distillation across panels, the committee tried to record something of the spirit of each individual panel session. Nor is this report intended to be complete; topics that were not discussed at the workshop are not mentioned, however important they might be.
In the second phase of the study, the committee will analyze the information gathered in the workshop and summarized here, along with information and input it gathers from other experts and related studies. This assessment phase will deliver a final report (planned for release in 2005) with findings and recommendations from the committee.
The Committee on Certifiably Dependable Software Systems consists of 13 members from industry and academia who are experts in different aspects of systems dependability, including software engineering, software testing and evaluation, software dependability, embedded systems, human-computer interaction, systems engineering, systems architecture, accident theory, standards setting, key applications domains, economics, and regulatory policy (see Appendix C for committee and staff biographies).
The committee thanks the many individuals who contributed to its work. It appreciates the panelists’ willingness to address the questions posed to them and is grateful for their insights. The study’s sponsors at the National Science Foundation, the National Security Agency and the Office of Naval Research have been most supportive and responsive in helping the committee to do its work. The reviewers of the draft report provided insightful and constructive comments that contributed significantly to its clarity.
The committee is particularly grateful to the CSTB staff: Lynette Millett, program officer, who as the study director for this project has provided excellent advice and assistance throughout; Phil Hilliard, research associate, whose work in note-taking and summarizing discussions, and in obtaining and organizing materials for the committee, has been invaluable; and Penelope Smith, senior program assistant, who deftly handled all kinds of administrative issues, including most of the arrangements for the workshop and associated meetings. The success of the workshop is a testament to their commitment and hard work. Susan Maurizi from the Division on Engineering and Physical Sciences’ editorial staff and Cameron Fletcher made significant editorial contributions to the final manuscript.
Daniel Jackson, Chair
Committee on Certifiably Dependable Software Systems
Acknowledgment of Reviewers
This report has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council’s (NRC’s) Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making the published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their review of this report:
Anthony Hall, Independent Consultant
John C. Knight, University of Virginia
William Scherlis, Carnegie Mellon University
William Stead, Vanderbilt University
Jeannette Wing, Carnegie Mellon University
Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommendations, nor did they see the final draft of the report before its release. The review of this report was overseen by Daniel P. Siewiorek, Carnegie Mellon University. Appointed by the National Research Council, he was responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the authoring committee and the institution.